Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Some more posts on bugtraq about David Litchfields open letter to Oracle"] [Next entry: "WebGoat an application to learn how to hack!"]

A new paper on SQL Injection

I was told last week that David Litchfield had released two new papers, one of which is about SQL Injection. There are three main types of SQL Injection or rather ways to get the data back to the hacker after he has used a SQL injection attack. The first is in-band where the data is returned to the caller via the same query. An example would be a select statement where the hacker manages to add a union and select also the password hashes from the view DBA_USERS for instance. Then there is out of band where the same channel used to send and receive data via the SQL query being abused is not used. This is where a function such as UTL_HTTP or UTL_TCP can be used to send the data back to the hacker via another channel. The third method is inference where its not possible to get the data back through either the original channel or another alternate one. In this case the hacker can influence the database to give clues as to whether a piece of data is there or not or if it has a certain value or not. This can be as simple as causing the server to hang for 5 seconds if the data is there or no hang if not.

David's paper titled "Data-Mining With SQL Injection and Inference" is an excellent introduction to the subject with some great examples of taking the method further and not relying on the old method of adding time delays to infer a value or not. David also gives a good potted history of SQL Injection in this paper. It is well worth a read.